This is the second post in the new section of the website where I will explain in detail a specific protocol and show examples of different ways to exploit different vulnerable implementations. To make these posts I have used as an example implementations that can be found in the hackthebox.eu, as well as Ippsec videos.
The Secure Shell protocol allows remote access to a server via a secure channel where all information is encrypted. By default it runs on port 22.
The two main forms of authentication are password authentication and public key authentication.
Password authentication
This is the basic authentication, which is performed by the following command:
ssh user@server
Authentication by public key:
A public (id_rsa.pub) and a private key (id_rsa) pair are generated on the server. The public key is saved in the authorized keys section (in linux, it is saved in the authorized_keys file in the .ssh folder in the user’s home).
The private key id_rsa is given to the user who will access it anonymously.
In this way, it is enough to give the private key when accessing by ssh to be able to enter without entering the password:
Create public and private key to access a server
Cracking SSH key
If we have an encrypted id_rsa like this
We can try to decipher it with the John TheRipper tool.
First we modify the format to one that JohnTheRipper understands with the sshng2john.py script that you can download here.
Then we just have to pass it to John with the dictionary we want to use:
It is important to assign permission 600 to the file because if the file has more permissions than necessary, an error will appear:
Obtain private key from public key
There is a vulnerability in RSA, and that is that if you use two primes that are too small to generate the public and private keys, then it is possible to find them out and generate the private key from the public one.
To understand this in detail, it is necessary to have a thorough understanding of the asymmetric cryptography algorithm RSA, and to understand how the public and private keys are generated. In the future I could write a cryptography post explaining it in detail.
We will start from having a public key, like the following one:
We then run the tool RsaCtfTool
Now we just have to copy the private key, give it permissions and log in:
Banner Leak
It is important to pay attention to the banner that returns ssh when we connect. Let’s look at this example where we have launched nmap:
We can see that the SSH service opened on port 2222 reveals that the server is Ubuntu. But it also reveals us the last applied OpenSSH patch, 4ubuntu2.2.
If we search for this information in google, we can find out when this patch was released:
This information can be very valuable in the future in case we can use some kernel exploit.
Bruteforce
User Enumeration
We can try to list users with the following script:
Add an old Key Exchange Algorithm
Sometimes a server needs to use some old key exchange algorithm that is not usually offered by default. In those cases, we will receive an error similar to this one:
In these cases what we must do is add some of the algorithms that the server offers us, for example the last one, by means of the parameter -okexAlgorithms=+diffie-hellman-group1-sha1:
SSH via IPv6
Sometimes a server may have the iptables configured so that access via ssh is not possible. However, this only works for IPv4, so you may be able to access it via IPv6.
For this we only need to know the IPv6 of the server:
And connect as we usually would but using that IPv6, with password or private key:
Allow SSH Connection
I hope that all this information has been useful to you. I haveThere are many more attack vectors and ways to compromise the security of the SSH protocol that you can find here.
Lethani.
2 thoughts on “Infrastructure Hacking: SSH Protocol”